Audit of NARA’s Telework Program

OIG Audit Report No. 11-20

September 30, 2011

Table of Contents

Executive Summary
Background
Objectives, Scope, Methodology
Audit Results
   Finding 1: Overall Management of NARA's Telework Program Lacking
   Finding 2: NARA's Telework Guidance not Consistently Implemented
   Finding 3: Security of NARA's Work-at-Home System is Vulnerable
Appendix A – GAO Key Telework Practices for Implementation of Successful Federal Telework Programs
Appendix B – Management's Response to the Report
Appendix C – Report Distribution List

OIG Audit Report 11-20

Executive Summary

The National Archives and Records Administration (NARA) Office of Inspector General (OIG)
completed an audit of NARA’s Telework Program. NARA developed the “Flexiplace” pilot
program to comply with a mandate in allowing eligible NARA employees the opportunity to
telework. Further, NARA implemented the Work-at-Home System (WAHS) to provide a remote
access capability to teleworkers.
During this audit, we assessed whether NARA is fully
capitalizing on the identified benefits of telework and administering its telework program in
accordance with Federal regulations and NARA policy.

Public Law 106-346 §359, Department of Transportation and Related Agencies Appropriations
Act, 2001 (the Appropriations Act), dated October 23, 2000, established a legislative mandate for
Federal telework. The Appropriations Act requires each executive agency to establish a policy
under which eligible employees of the agency may participate in telework to the maximum
extent possible without diminished employee performance. Further, the Appropriations Act
designates the Office of Personnel Management (OPM) as the lead in ensuring the requirements
are applied to the entire Federal workforce. One of the tools OPM has promoted is the “Key
Practices for the Implementation of Successful Telework Programs.” Many of these key
practices became legislatively mandated following the passage of Public Law 111-292, Telework
Enhancement Act of 2010, which was signed into law on December 9, 2010.

Our review found that although NARA has had a pilot telework program in place since
September 2001, the program does not fully encompass key best practices or facilitate the
realization of identified benefits associated with teleworking. Further, the implementation of
NARA’s pilot telework program does not reflect key objectives of the agency’s Transformation
initiative. These conditions are due to inadequate managerial and administrative support of
NARA’s telework program. These same factors resulted in a lack of training, guidance, and
assistance for telework supervisors, which have negatively impacted the overall implementation
of NARA’s telework program. The Telework Enhancement Act established many requirements
that were due 180 days from its enactment.
NARA is currently making efforts to implement the
long-established key practices that have now become requirements; however, NARA is currently
non-compliant with the Telework Enhancement Act.

Although OPM has identified benefits associated with telework, the practice invites risk and
abuse if employees are not adequately trained, equipped, monitored and subject to appropriate
supervision. These risk factors clearly exist at NARA.

Further, our review found that NARA’s WAHS remains vulnerable to the threats it was designed
to mitigate. The WAHS was not fully developed, tested, or administered in accordance with
NARA policy and NIST security standards. Security requirements have not been met and in
some cases remain untested. Now in full production, the WAHS is unnecessarily at risk of
compromise, and controls in place to mitigate or detect such an event are insufficient.

Page 3
National Archives and Records Administration

Our audit identified several improvements to be made to NARA’s overall telework program. We
made a number of recommendations to more thoroughly ensure the telework program meets
mandated requirements and improvements are made to the security of the WAHS.

Background

Over the past decade, telework programs have become increasingly widespread throughout the Federal
Government.
The Office of Personnel Management (OPM)—tasked by Congress to assist executive
agencies in developing telework programs—defines telework as “work arrangements in which an
employee regularly performs officially assigned duties at home or other worksites geographically
convenient to the residence of the employee.” Although addressed by various names (e.g.,
“telecommuting,” “work at home,” “flexible work,” etc.), the general concept of telework within the
Federal Government has been present and in use for many years.

In fiscal year 2001, the Department of Transportation and Related Agencies Appropriation Act (Public
Law 106-346 §359) included a provision that required each executive agency to establish a policy under
which eligible employees may participate in teleworking to the maximum extent possible without
diminished employee performance. In complying with this requirement, on September 6, 2001, NARA
issued interim guidance entitled “Flexiplace,” establishing a pilot telework program within the agency.
Due to the program’s initial success, additional interim guidance was issued over the next five years to
extend the pilot program and allow more offices within NARA to participate. The most recent interim
guidance extending NARA’s pilot telework program is dated August 8, 2006.

In mid-2007, NARA recognized a need to develop an enterprise-level remote access solution, in part, to
support NARA’s telework program. In August 2008, the Work-at-Home System (WAHS) began an
initial pilot phase, followed by full operational capability in September 2009. The WAHS was designed
to enable secure, remote access to selected General Support Systems (GSS) that reside on NARA’s
Network.
The WAHS is licensed to support 250 concurrent teleworkers.

Most recently, Congress passed the Telework Enhancement Act of 2010, which was signed into law on
December 9, 2010. The Telework Enhancement Act establishes additional requirements for Federal
telework programs. Many of these requirements reflect key practices that were initially promoted by
OPM and other agencies within the Federal Government (see Figure 1 for a timeline of these events).

Figure 1: Timeline of NARA’s Telework Program

   •   2001 Transportation Appropriation Act; Requiring Each Agency to Establish a Telework Policy
   •   2001 NARA Develops the "Flexiplace" Telework Pilot Program
   •   2006 NARA's Latest Interim Guidance 300-32 Extending the Telework Pilot Program
   •   2009 NARA Implements the WAHS to Provide Remote Access to NARANet
   •   2010 Telework Enhancement Act; Further Telework Requirements within the Federal Government

Objectives, Scope, Methodology

The overall objective of this audit was to determine whether NARA is fully capitalizing
on the
identified benefits of telework and administering its telework program in accordance with
Federal regulation and NARA policy. Our review focused on whether NARA management was
aligning its telework program to meet established and recently enhanced Federal telework
requirements. Further, this audit covered the implementation of NARA’s telework program in
terms of supervisory involvement and information security.

To accomplish our objective, we interviewed key NARA personnel from the Office of
Administration [1] and the Office of Information Services and examined NARA policies governing
its telework program. We gained an understanding of NARA’s documentation and approval
process for establishing individual telework arrangements. We reviewed program
documentation for NARA’s Work-at-Home System (WAHS) with regard to information security.
Further, we met with a sample of telework supervisors and teleworkers from offices throughout
the agency to observe and gain an understanding of the actual implementation of the telework
program. We compared the implementation of the telework program to NARA’s policy.
In
addition, we compared NARA’s telework policy and WAHS to applicable Federal regulation and
other telework guidelines, specifically: the Department of Transportation and Related Agencies
Appropriation Act, 2001 (Public Law 106-346 §359); The Telework Enhancement Act of 2010
(Public Law 111-292); National Institute of Standards and Technology (NIST) SP 800-46, Guide
to Enterprise Telework and Remote Access Security; Office of Personnel Management (OPM),
Guide to Telework in the Federal Government; Government Accountability Office (GAO)-04-950T,
Human Capital: Key Practices to Increasing Federal Telework; and GAO-03-679, Human
Capital: Further Guidance, Assistance, and Coordination Can Improve Federal Telework
Efforts.

Our audit work was performed at Archives II in College Park, Maryland; Archives I in
Washington, DC; and various telework alternative work locations throughout Maryland. The
audit took place between February 2011 and July 2011. We conducted this audit in accordance
with generally accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for
our findings and conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on our audit
objectives.

[1] NARA underwent a Transformation effort during the timeframe of this audit. Office names and symbols have
subsequently changed to reflect the reorganization. However, the previous office names and symbols are used in the
body of this report to reflect the historical names of the offices involved throughout the development of the telework
program, as well as to remain consistent with the office names used in applicable NARA policy.
Recommendations
are addressed using the most current office and management titles.

Audit Results

1. Overall Management of NARA’s Telework Program Lacking

Although NARA has an established pilot telework program, the program does not fully
encompass key best practices or facilitate the complete realization of identified benefits
associated with teleworking. These conditions exist because NARA has not provided adequate
managerial and administrative support, nor significantly updated or promoted its nearly
decade-old interim guidance—despite ever increasing emphasis on telework throughout the Federal
Government. As a result, NARA’s telework program must try to catch up to well-established
best practices that have now become legislatively mandated telework requirements.
Additionally, in delaying action until now, NARA has missed opportunities to further reduce
costs, increase resiliency and preparedness, and enhance the quality of employee work-life.

Public Law 106-346 §359, Department of Transportation and Related Agencies Appropriations
Act, 2001 (the Appropriations Act), dated October 23, 2000, provides the initial legislative
mandate for Federal telework. The Appropriations Act requires each executive agency to
establish a policy under which eligible employees of the agency may participate in telework to
the maximum extent possible without diminished employee performance.
The conference report
for the Appropriations Act provides additional detail on this requirement, stating “each agency
participating in the program shall develop criteria to be used in implementing such a policy and
ensure that managerial, logistical, organizational, or other barriers to full implementation and
successful functioning of the policy are removed. Each agency should provide for adequate
administrative, human resources, technical, and logistical support for carrying out the policy.”
Further, the Appropriations Act designates the Office of Personnel Management (OPM) as the
lead in ensuring the requirements are applied to the entire Federal workforce.

In this capacity, OPM assists agencies in developing policy and reports on telework progress,
guidance, and best practices. OPM’s telework website (telework.gov) contains a number of tools
and resources to aid agencies in staying abreast of the evolving telework best practices.
Specifically, OPM has adopted “Key Practices for the Implementation of Successful Telework
Programs” (see Appendix A for the complete list). These key practices, which were first
identified by the U.S. Government Accountability Office (GAO) in July 2003, are divided into
seven categories that range from planning to program evaluation.

In an initial effort to comply with the telework requirements of the Appropriations Act, NARA
issued Interim Guidance 300-13, Flexiplace, on September 6, 2001. In addition to establishing a
pilot telework program within NARA, the guidance details responsibilities, participation
eligibility, standards of conduct, and other requirements of the program.
Minor updates were
made to NARA’s interim guidance over the years; however, the majority of the policy has
remained unchanged.

During our review—while examining NARA’s telework policy and program implementation and
administration—we identified a number of key practices that had yet to be incorporated into
NARA’s telework program. These unimplemented key practices are described under the seven
categories below.

   •   Program Planning. Until recently, NARA had not established a telework
       coordinator. According to OPM, this is the first of many important steps in planning
       for an effective telework program. Further, NARA has not established a
       cross-functional team, which has resulted in the separate development of the telework
       program and the Office of Information Services (NH) Work-at-Home System
       (WAHS). Proper funding is also necessary for an effective telework program.
       Officials from the Office of Administration (NA) stated funding has not been
       sufficient to meet the needs of NARA’s telework program. NA officials estimate
       they only have funding for one quarter of a full time equivalent (FTE) devoted to the
       telework program; however, they estimate it requires at least one FTE.

   •   Telework Policy. A major component of an effective telework policy includes
       developing a telework agreement for use between all teleworkers and their managers.
       NARA’s pilot telework policy only requires telework agreements to be established
       between teleworkers who participate on a recurring basis.
       Ad hoc teleworkers are not
       currently required to sign an agreement. Further, in order for the policy to be
       effective, it should be free from ambiguity and redundancy. NARA’s policy contains
       conflicting and unclear statements; examples include the number of telework days
       allowed and whether or not Senior Executives may participate.

   •   Performance Management. GAO reported that agencies need to establish
       guidelines to minimize adverse impacts that telework can have on non-teleworkers
       before employees begin to work at alternative worksites. Although NA has identified
       this as a scenario that is present at NARA—which negatively impacts telework
       participation—guidelines to minimize the adverse impact on non-teleworkers have
       not been established.

   •   Managerial Support. GAO identified that it is critical to obtain support from top
       management and to address managerial resistance in establishing an effective
       telework program. Based on interviews with telework personnel, coupled with the
       historically slow growth of telework participation within NARA, further
       improvement in management support is needed. OPM encourages agencies and
       managers to be creative in considering the use of telework; it should not be an “all or
       none” proposition. OPM guidance further states most, if not all, jobs include some
       duties that are considered “portable” and do not necessarily require the employee to
       be physically present at the regular worksite.

   •   Training and Publicizing. OPM’s key practices state, at a minimum, telework
       training should be provided to managers and teleworkers.
       According to NA
       personnel, NARA has offered very little training related to telework. NA officials
       stated an indirect effort to promote telework involved requiring NARA employees to
       differentiate telework from duty station work on their timesheets; however, again
       citing lack of resources, NA stated very few specific telework promotional activities
       have taken place.

   •   Technology. OPM key practices report agencies should conduct an assessment of
       teleworker and organization technology needs. Further, the key practices include
       providing technical support for teleworkers. NA and NH did not establish a
       cross-functional team to determine the requirements for NARA’s WAHS. As a result,
       required capabilities did not fully reflect actual needs. In addition, NARA telework
       policy is ambiguous in terms of whether or not NARA provides technical support to
       teleworkers, stating “the employee installs, services, and maintains any personal
       equipment and furniture to be used.” NARA does not specifically mention technical
       support in its telework guidance.

   •   Program Evaluation. GAO reported that agencies should develop program
       evaluation tools and use such tools from the very inception of the program to identify
       problems or issues with the program and to develop an action plan to guide any
       necessary changes. In addition, the key practices include tracking participation
       numbers with a reliable system.
       NARA has not established consistent processes,
       procedures, or tracking systems to collect data to evaluate the telework program.
       Further, until recently, NARA has not used a reliable system to track telework
       participation.

Regular attention by agencies to the key practices is important to foster program growth and
remove barriers to telework participation. For example, in 2002, OPM had already reported that
training was by far the most frequently cited tool for expanding telework participation and
addressing the wide array of telework barriers and concerns. However, as mentioned above,
telework training has yet to be fully utilized at NARA. The results of not fully implementing
well-established telework key practices are reflected in the relatively flat growth in the number of
NARA employees participating in the telework program over the years.

Management of NARA’s Telework Program

Around the time NARA established its initial pilot telework program in September 2001, NA
began providing OPM with data related to NARA employee participation and other progress
measurements. OPM compiles this information from each agency on an annual basis and then
reports to Congress on the status of telework in the Federal Government.
The chart below
depicts the data NARA provided to OPM—as reported in OPM’s annual status reports—
including the number of staff eligible to telework and the number of actual teleworkers at NARA
(see Figure 2).

Figure 2: NARA's Input to Annual OPM Data Calls Reported to Congress

Vertical axis: NARA Employees (0 to 3500)

Year                  2001  2002  2003  2004  2005  2006  2007  2008  2009
Eligible Employees    1500  1457  3117  1767    85  1300  1086  2780  1054
Teleworkers             38    80   165   170   129   123   128   205   334

Although NA has recently implemented a more scientific method of tabulating telework data
within NARA, the chart above provides a historical perspective of the level of management
afforded to reporting NARA telework data to OPM. When asked about the fluctuations in
number of NARA employees eligible to telework from year to year, NA personnel stated “bad
data” was reported in some years. Other factors may include discrepancies in calculation
methods. This data is also used in measuring goals of overall telework participation levels. NA
personnel stated the participation goal of NARA’s telework program is to have at least 15
percent of eligible employees telework.
However, without consistent eligibility criteria or
measuring methods, NARA cannot reasonably determine if it is meeting its goal. For example,
the last two years of data reported indicate participation levels jumped from 7 percent to 32
percent. Although there was notable growth in telework participation during this period, the
increased participation rate is exaggerated by a drastic reduction in the number of telework
eligible staff reported.

In terms of overall management of NARA’s telework program, NA personnel stated until
recently, NARA did not have a designated telework coordinator or any other staff specifically
dedicated to the management of the program. OPM guidance states each agency should
designate a telework coordinator who acts as the key contact for policy and program questions.
Further, OPM guidance instructs managers and teleworkers to maintain frequent contact with
their telework coordinator to ensure the agency’s policy and procedures are properly applied and
to ensure awareness of the full range of support and resources available. During the entrance
conference with NA, management was unable to identify the NARA staff member listed on the
OPM telework website as the Telework Coordinator for NARA’s program. Further, the phone
number listed on NARA’s most recent Interim Guidance is outdated and does not belong to the
person listed, nor does it belong to the person currently responsible for providing telework
assistance.
NA cited turnover and insufficient resources as the reasons behind the current
management state of NARA’s telework program.

Management of NARA’s Telework Policy

Another basic tenet of a successful telework program involves developing an agency-wide
telework policy. NARA issued Interim Guidance 300-13, Flexiplace, on September 6, 2001.
The purpose of this initial guidance was to establish a pilot telework program at NARA for a
six-month period beginning on October 1, 2001. Based on the success of the initial telework
program, an extension of the pilot was granted on three separate occasions through the issuance
of the following revised interim guidance:

   •   Interim Guidance 300-21, Flexiplace, dated November 14, 2002;
   •   Interim Guidance 300-28, Flexiplace, dated October 19, 2005; and
   •   Interim Guidance 300-32, Flexiplace, dated August 8, 2006.

All three updates made to NARA’s telework guidance state the same purpose, which is to extend
the pilot program.
Apart from revisions to eligibility qualifications and the number of
specifically identified NARA offices allowed to participate in recurring telework, very few
changes have been made in comparison to NARA’s initial version issued in September 2001.
Furthermore, the telework agreement and arrangement forms—which are used to document
telework agreements between managers and teleworkers—have remained unchanged for nearly
ten years, and contain references to outdated policy.

Although many key telework best practices were identified by OPM and GAO as early as July
2003, NARA’s subsequently issued revised interim guidance did not reflect these key practices.
Furthermore, after nearly a decade, NARA’s telework program remains in a pilot phase, and the
guidance remains “interim.” NA management recognizes that the telework policy needs to be
revised, stating in one meeting “even the name ‘Flexiplace’ is outdated.” NA officials stated they are
in the process of revising the telework policy.

Increased Emphasis on Telework

Over the last few years, NARA’s telework program has remained relatively stationary, with few
updates to the policy, minimal promoting and training, and little overall management attention.
However, during the same timeframe, telework practices were evolving more drastically
elsewhere in the Federal Government. Apart from the key practices identified earlier, OPM’s
annual reports to Congress have consistently provided lessons learned and additional guidance
based on information canvassed from agencies throughout the Federal Government. Further,
OPM has provided updated guides on teleworking, which outline practical information to assist
agencies in implementing telework programs.

Increased emphasis on telework has been observed at all levels of the government.
In March
2010, the President hosted a White House Forum on “Work-Life Balance and the Economics of
Workplace Flexibility.” The forum identified evidence supporting a potential boost in
productivity and morale as a result of implementing flexible workplace practices. Other benefits
associated with flexible workplace arrangements identified include improved employee health
and decreased absenteeism—a major cost for employers. The forum report concluded by stating
“…it is critical for the 21st century U.S. workplace to be organized for the 21st century
workforce.”

Furthermore, through a number of legislative actions, Congress has promoted telework programs
in an effort to further accomplish a number of positive outcomes. This culminated in the passage
of the Telework Enhancement Act of 2010, which was signed into law on December 9, 2010.
The Telework Enhancement Act legislatively mandates many of the key practices identified
early on by OPM and GAO.
Some of these include:

   •   Designating a Telework Managing Officer;
   •   Notifying all employees of the agency of their eligibility to telework;
   •   Requiring all teleworkers to have a written agreement;
   •   Ensuring that an interactive telework training program is in place for all eligible
       employees, managers, and teleworkers;
   •   Purchasing computer systems that enable and support telework;
   •   Submitting data to OPM reporting on the degree of telework participation; and
   •   Setting and reporting on telework related goals.

Now that these key practices have become mandatory, NARA must ensure compliance. The
majority of the requirements contained within the Telework Enhancement Act were to be
implemented by June 7, 2011 (180 days after the act was signed into law). NA officials stated
they were in the process of updating NARA’s telework policy and implementing the newly
mandated requirements of the Telework Enhancement Act.
However, as of the June 7, 2011 deadline, NARA has yet to issue revised policy or guidance
pertaining to its telework program.
NA personnel stated they expect the policy to be issued shortly.

Implications of Delayed Action

OPM and agencies throughout the Federal Government have identified and reported numerous
benefits associated with teleworking, some of which include:

   •   Assists with recruiting and retaining the best possible workforce,
   •   Ensures continuity of operations and maintains operations during emergency events,
   •   Promotes management effectiveness by targeting reductions in management costs related
       to employee turnover and absenteeism,
   •   Reduces real estate costs, transit costs, and environmental impact,
   •   Enhances work/life effectiveness and balance, and
   •   Allows employees to better manage their work and family obligations, thereby retaining a
       more resilient, results-oriented workforce better able to meet agency missions and goals.

On June 8, 2011—the day after many of the Telework Enhancement Act requirements went into
effect—representatives from the Nuclear Regulatory Commission (NRC) and the General
Services Administration (GSA) spoke at a forum detailing the benefits of telework realized at
their respective agencies. The representatives noted that it was not a coincidence that their
agencies had well established telework programs and also ranked in the top-ten of OPM’s annual
Federal Employee Viewpoint Survey in terms of employee satisfaction (NRC: first place; GSA:
seventh place).
In contrast, NARA—with its less developed telework program—is currently tied
for last place in a ranking conducted by the Partnership for Public Service. Although telework is
only one factor, with the passage of the Telework Enhancement Act, NARA must ensure it is
thoroughly addressed. Until NARA devotes the resources and attention necessary to implement
its telework program consistent with mandates and key practices, the agency will continue to
delay the full realization of identified telework related benefits and remain non-compliant with
the Telework Enhancement Act. Offering employees the opportunity to telework can result in
heightened job satisfaction. If properly instituted at NARA, teleworking can help support
NARA’s transformation initiative of making NARA “A Great Place to Work.”

Recommendations

1. We recommend the Chief Human Capital Officer (H):

       a. Revise NARA’s telework policy and implement NARA’s telework program to
          incorporate OPM and GAO’s “Key Practices for the Implementation of Successful
          Telework Programs.”
       b. Monitor compliance with deadlines and requirements established in the Telework
          Enhancement Act.
       c. Establish a cross functional team with the Office of Information Services (I) to ensure
          remote access capabilities will meet increased NARA telework demands and to
          ensure appropriate security guidance is included in NARA telework policy.
       d. Develop a method and common criteria for tracking telework participation.

Management Response

Management concurred with the recommendations.

2. NARA’s Telework Guidance not Consistently Implemented

Our review revealed a number of telework supervisors did not consistently and properly
implement NARA’s telework program in accordance with NARA policy and OPM guidance.
This occurred due to an overall lack of telework training, misunderstanding of telework guidance
and forms, and confusion as to who NARA’s telework coordinator is and how to obtain
additional assistance regarding NARA’s telework program. As a result, telework is not always
conducted appropriately and required telework supervision and management is often not
achieved.

NARA Interim Guidance 300-32, Flexiplace, dated August 8, 2006, is the most recent version of
NARA’s telework policy. Like previous versions, the policy incorporates telework supervisor
responsibilities. The main supervisory responsibilities include approving, disapproving, or
terminating telework arrangements, as well as monitoring teleworker productivity and
performance. To further facilitate these responsibilities, NARA’s telework policy contains a
number of documentation requirements. The forms used in support of NARA’s telework
program include the following:

   •   NA Form 3038, Request for Ad Hoc Flexiplace Arrangement—for teleworkers
       participating on an ad hoc basis, this document describes the hours or days being
       requested, the specific assignments or projects to be worked on during the period away
       from the office, and the products or progress that can reasonably be expected to be
       accomplished during the period away from the office.
       The form must be submitted and
       written supervisor approval granted prior to the ad hoc telework commencing and signed
       again upon review of the accomplishments documented at the completion of the
       telework.

   •   NA Form 3039, Request for Recurring, Scheduled Flexiplace Arrangement—for
       teleworkers participating on a recurring basis, this request form contains the telework
       employee’s name and occupational information, expected duration of proposed telework
       arrangement, specific work schedule, and other evaluation information. The form must
       be submitted and approved by the office head and the employee’s immediate supervisor
       prior to the recurring telework commencing.

   •   NA Form 3040, Flexiplace Agreement—NARA’s Interim Guidance requires telework
       candidates to enter into this agreement prior to beginning a recurring telework schedule.
       The form documents the duty station, alternative workplace, and work schedule, and
       includes additional requirements that must be met by the teleworker and supervisor.
       Once completed, the form must be signed and retained by both the telework employee
       and supervisor.

   •   NA Form 3041, Self-Certification Safety Checklist for Home-Based Flexiplace
       Participants—this form, completed by the telework candidate, provides a level of
       assurance that the alternative workplace proposed is a safe work environment. The form
       includes the employee’s work address and alternate worksite location, as well as a
       questionnaire related to the workplace environment and computer workstation.
       The form must be submitted and receive supervisory approval before either ad hoc or
       recurring telework may commence.

In addition to NARA policy, OPM’s “Guide to Telework in the Federal Government,” provides
insight on how to be an effective telework manager. The guidance states the teleworker and
manager should enter into a written agreement for every type of telework, whether the employee
teleworks regularly or ad hoc. The written agreement provides a framework for the discussion
that needs to take place between the manager and teleworker about expectations. Further, OPM
states telework agreements are “living documents” that should be revisited by the manager and
teleworker and re-signed regularly, preferably at least once a year. The guidance states
management expectations of a teleworker’s performance should be clearly addressed in the
telework agreement. Lastly, as with onsite employees, teleworkers must be held accountable for
the results they produce.

In performing our review, we interviewed 19 telework supervisors from nine different offices
within NARA and requested the telework documentation of the over 100 telework staff they
collectively supervise. The documentation sampled represented nearly one third of all NARA
teleworkers. In addition, we interviewed and observed five teleworkers from their respective
alternative worksites. Based on our interviews and observations, and our analysis of telework
documentation, we determined a number of telework supervisors did not consistently and
properly implement NARA’s telework program in accordance with NARA policy and OPM
guidance.
Specifically, many of the controls put in place to promote oversight, accountability,
and productivity were not fully applied by all telework supervisors.

For example, one basic telework supervisor oversight and accountability practice involves
maintaining an awareness of employee work schedules. Both NARA Interim Guidance 300-32
and NA Form 3040 require the employee to either 1) log in and log out each workday via e-mail
to their supervisor, or 2) complete a self-certification statement if they log in and log out by
telephone. Despite this requirement, not all supervisors interviewed required their telework staff
to directly e-mail workday log ins and log outs. Further, when asked, not all telework staff were
aware of this requirement.

NA Form 3038, Request for Ad Hoc Flexiplace Arrangement, contains a built-in control related to
accountability and productivity. The top half of the form includes information related to the
expected work to be conducted while teleworking. The bottom half of the form, which is
completed after the telework has taken place, describes the actual work accomplishments. The
supervisor is required to sign off both prior to the telework and once again after the telework is
completed. NARA policy requires that supervisors retain these completed forms for at least one
year. However, a number of NA Forms were either not signed in a timely manner or altogether
missing from the samples we requested.

In addition, comparisons of the telework documentation provided by the supervisors and
NARA’s remote user access log further substantiate non-adherence to the aforementioned
controls. Although most supervisors stated that sign in/out e-mail procedures were implemented
within their respective offices, access logs identified a number of teleworkers did not access their
e-mail within the surrounding hours of their scheduled telework.
A number of factors may have
contributed to employees not sending e-mails, including access and IT problems; however, in
situations where an e-mail cannot be sent, NARA policy requires the employee to call their
supervisor and complete a self-certification statement. Furthermore, in terms of retaining
documentation supporting approval, the remote access log indicated telework was performed
more often than the supervisor-provided supporting documentation indicated.

Further, we identified numerous situations in which supervisors approved incomplete or
inaccurate telework documentation, or allowed telework to take place prior to having their staff
complete the required agreements and forms. Analysis of the four standard telework forms and
the identified deficiencies pertaining to each are described below.

[Chart: NA Form 3038, Request for Ad Hoc Flexiplace Arrangement. Properly Completed: 34%; Improperly Completed: 66%]

During the review, we obtained documentation for teleworkers who participated on an ad hoc
basis. Of the 32 ad hoc teleworkers sampled, 21 (or 66 percent) had improperly completed NA
Form 3038, Request for Ad Hoc Flexiplace Arrangements (see chart on the left). A number of
the NA Form 3038s were not approved prior to the telework taking place. Others did not provide
explanations of the specific assignments or projects expected to be worked on during the time
period away from the office and some had blanket approval that spanned months without listing
specific dates for the ad hoc work to take place. Further, a number of the forms provided generic
accomplishment responses and supervisors often did not sign off on the forms in a timely manner
once the telework was completed.

[Chart: NA Form 3039, Request for Recurring, Scheduled Flexiplace Arrangement. Properly Completed: 56%; Improperly Completed: 44%]

In addition, we obtained documentation for 71 teleworkers who participated on a recurring basis.
Of those sampled, 31 teleworkers (or 44 percent) had improperly completed NA Form 3039,
Request for Recurring, Scheduled Flexiplace Arrangements (see chart on the right). Examples of
the issues observed include: unsigned and unapproved arrangements, arrangements with up to
four days per week of telework without special approval, arrangements that had surpassed their
durations by up to two years, arrangements that did not include the location of the offsite
workplace, arrangements with an offsite work location listed as a post office box or that
did not match the location listed on other documents, and arrangements in which work schedules
did not match those listed on other documents.

[Chart: NA Form 3040, Flexiplace Agreement. Properly Completed: 65%; Improperly Completed: 35%]

Although OPM guidance stipulates all teleworkers should sign an agreement, NARA policy only
requires agreements for employees who telework on a recurring basis. Of the 71 NA Form 3040,
Flexiplace Agreements reviewed, 25 (or 35 percent) were improperly completed (see chart on the
left).
Examples of the
issues identified include: agreements that had not been updated in over four years, agreements
that were not signed or dated, agreements that did not include work schedules or the address of
the alternative workplace, and agreements that were incomplete or altered to remove pertinent
data.

[Chart: NA Form 3041, Self-Certification Checklist for Flexiplace Participants. Properly Completed: 34%; Improperly Completed: 66%]

Further, NARA policy requires all teleworkers (regardless of ad hoc or recurring) to complete an
NA Form 3041, Self-Certification Checklist for Home-Based Flexiplace Participants. However,
not all sampled NARA teleworkers had completed the checklist. Of the 95 available for review,
63 (or 66 percent) had completed NA Form 3041 improperly (see chart on the right). Examples of
the issues observed include: forms that did not contain the address of the location being
self-certified, forms that were not signed or dated, supervisors that were unaware that checklists
had to be completed by employees teleworking on an ad hoc basis, and telework allowed prior to
obtaining an approved checklist.

Overall Lack of Telework Training

OPM identified training as the most frequently cited tool for addressing telework concerns.
Further, OPM has highlighted how telework training has increased the success of telework
programs at other agencies. However, during our interviews with teleworkers and telework
supervisors, none were aware of or could recall participating in telework-specific training.
NA officials acknowledged, due to a lack of resources, there has not been an organized effort to
train telework managers and staff.

The Telework Enhancement Act has established new requirements related to telework training.
According to the Act, agencies must ensure that an interactive telework training program is
provided to all managers and all eligible telework employees. Further, employees must
successfully complete the interactive training before entering into a written agreement to
telework.

Misunderstanding of Telework Guidance and Forms

OPM guidance states telework policy for each agency should be designed and written to serve as
a useful, practical resource to telework employees, managers, supervisors and others with a need
to know about the agency’s telework program. Further, OPM recommends the policy be
organized logically and avoid the use of ambiguous terms and redundancies. Although most
telework supervisors stated they relied almost exclusively on NARA’s telework policy to
implement the telework program within their respective offices, the inconsistencies between
offices highlighted a number of misunderstandings regarding the telework policy. For example,
some supervisors were unsure which forms applied to each type of telework situation; in some
cases this resulted in teleworkers not completing the required forms.

Further, NARA’s policy contains a number of ambiguous and redundant requirements.
For example, in terms of the number of days per week an employee can participate as a recurring
teleworker, NARA’s policy offers three different answers: 1) one or more days per week, 2) up
to two days per week, and 3) typically less than half of the employee’s official duty station in
any given pay period. Similarly, NARA’s limit on the number of days an employee can telework
ad hoc is equally ambiguous; the policy states the following: 1) the employee typically works for
a day or two, 2) no more than two day-long periods or equivalent time during a pay period, and
3) as long as your supervisor is satisfied with your performance during these occasional ad hoc
periods (typically no more than one ad hoc period during a given pay period), there is no limit to
the number of ad hoc periods you may work.

Another concept interviewed supervisors were unsure about pertained to whether or not Senior
Executives were permitted to telework. NARA’s policy does not specifically address this issue.
However, OPM states managers and supervisors must be committed to using telework to the
fullest extent possible if Federal telework programs are to succeed. OPM—citing research in the
work/life field—states supervisors, managers and senior executives who model the use of
workplace flexibilities such as telework in any organization serve as key drivers in effecting
positive cultural change in that organization.

Limited Awareness of Available Telework Guidance and Assistance

OPM and GAO best practices have long established that agencies should designate a Telework
Coordinator who acts as the key contact for policy and program questions. Further, OPM states
managers should maintain frequent contact with the Telework Coordinator to ensure the
agency’s policy and procedures are properly applied and to ensure full awareness of the range of
support and resources available.
However, during our interviews of teleworkers and supervisors,
we asked if anyone was familiar with NARA’s Telework Coordinator. Only one of the
interviewees was able to identify NARA’s Telework Coordinator and many were unaware that
there was even such a position at NARA. These responses were expected, as NA had only
recently officially assigned the Telework Coordinator position.

With the enactment of the Telework Enhancement Act, agencies are now required to designate a
Telework Managing Officer. The Telework Managing Officer will take on the role of serving as
the primary point of contact for policy and program questions. OPM guidance recommends
telework staff that have questions or issues should now direct their concerns to the Telework
Managing Officer. In addition, the Telework Managing Officer will be a senior official with
direct access to the Archivist and will be devoted to policy development and implementation
related to NARA’s telework program.

Impact of Inconsistent and Inadequate Implementation of Telework Policy and Guidance

Effective performance management is recognized as a key component of a successful telework
program. OPM guidance states management expectations for performance should be clearly
addressed—and like non-teleworking employees—teleworkers should be held accountable for
the results they produce. NARA’s telework policy provides a number of tools to facilitate
telework oversight and communication between the supervisor and teleworker. However, due to
a lack of adequate training, guidance, and support, supervisors are not consistently implementing
the telework program in accordance with policy and best practices.
NA officials acknowledged further efforts need to be made to ensure NARA’s telework program
meets established requirements.

Further, although agencies are required to establish policy under which eligible employees may
participate in telework to the maximum extent possible, this is dependent upon undiminished
employee performance. OPM guidance states the manager must be kept apprised of the
teleworker’s schedule, how to make contact with the teleworker, and the status of all pending
work. However, NARA telework managers have not consistently implemented the controls that
facilitate communication and mitigate the inherent reduction in physical oversight and
supervision associated with telework. Until NARA fully implements its telework program in
accordance with the Telework Enhancement Act and best practices, it will not be able to ensure
proper telework performance management.

Recommendations

2. We recommend the Chief Human Capital Officer (H):

       a. Develop training in accordance with the Telework Enhancement Act and OPM
          guidance to ensure agency wide understanding of the telework program and policy.
       b. Establish a process for sampling and reviewing telework forms for adequacy and
          accuracy.
       c. Publicize the name of the designated Telework Managing Officer and provide
          accurate contact information for future assistance.
       d. Ensure the revised telework policy is free of redundancies and conflicting
          requirements.
       e. Issue an annual notice reminding supervisors of their responsibilities regarding
          telework.

Management Response

Management concurred with the recommendations.

3. Security of NARA’s Work-at-Home System is Vulnerable

Although NARA’s Work-at-Home System (WAHS) was developed to enhance remote access
security and provide enterprise-wide telework capabilities, the system remains vulnerable to the
threats it was intended to mitigate. This condition exists because the WAHS was not fully
developed, tested, or administered in accordance with NARA policy and Federal requirements.
As a result, NARA’s remote access system is at increased risk of security compromise and does
not meet the security capabilities and requirements that justified the system’s development.

NIST Special Publication 800-46, Guide to Enterprise Telework and Remote Access Security,
identifies the increased risk involved in implementing a remote access system. Specifically,
NIST SP 800-46 states remote access servers provide a way for external hosts to gain access to
internal resources, so their security is particularly important. In addition to permitting
unauthorized access to resources, a compromised server could be used to eavesdrop on remote
access communications and manipulate them, as well as to provide a “jumping off” point for
attacking other hosts within the organization. Further, NIST SP 800-46 states the nature of
remote access technology generally places it at higher risk than similar technologies only
accessed from inside the agency.

In order to address the increased risks of providing a remote access capability, risks must be
properly identified and protected against. NIST SP 800-53, Recommended Security Controls for
Federal Information Systems and Organizations, states it is of paramount importance that
responsible officials understand the risks and other factors that could adversely affect
organizational operations and assets, individuals, other organizations, and the Nation.
Officials must understand the current status of their security programs and the security controls
planned or in place to protect their information and information systems in order to make informed
judgments and investments that mitigate risks to an acceptable level. Further, NIST SP 800-53
creates a foundation for the development and assessment methods and procedures for
determining security control effectiveness.

NARA policy incorporates many of the NIST standards and identifies a number of tools and
procedures used to manage the security of its programs and systems. NARA 804, Information
Technology (IT) Systems Security, identifies security risk assessments and the development of
system security plans as two important activities used to ensure security measures are adequate.
The risk assessment influences the development of the security controls for particular
information systems and generates much of the information needed for the associated system
security plans. System security plans provide an overview of the information security
requirements and describe the security controls in place or planned for meeting those
requirements.

In August 2008, NARA began the initial pilot phase of its current remote access capability,
known as the Work-At-Home-System (WAHS). The WAHS was developed to support
NARANet users’ ability to telework. The two fundamental business drivers for the WAHS
involved emergency preparedness and the need to implement a more secure level of
authentication. To address these business drivers, the WAHS incorporates two major
components: 1) Citrix Access Suite and 2) RSA SecurID.
The Citrix Access Suite provides
application streaming capabilities to deliver the NARANet General Support System (GSS) to
remote desktops and laptops. This component also provides application security and access
control. The second component—the RSA SecurID—uses hardware tokens and an
authentication server in providing two-factor authentication to NARA’s Citrix, Virtual Private
Network (VPN), and web-based e-mail capabilities.

In addition to the business drivers, NH—in drafting the WAHS proposal—identified a number of
negative security implications if NARA did not adopt a new remote access approach. These
implications included:

   •   NARA will be non-compliant with specific Office of Management and Budget (OMB)
       mandates and Homeland Security Presidential Directives (HSPD) related to identification
       and authentication procedures;
   •   NARA will not have an enterprise-level remote access solution in place for its
       Work-at-Home staff;
   •   NARA staff members will be unable to access NARA@work or shared drives on
       NARANet servers from remote locations;
   •   NARANet e-mail will remain vulnerable to network and hacker attacks; and
   •   NARA will not be able to protect Personally Identifiable Information (PII) and NARA
       proprietary information from being distributed or compromised over its network and
       e-mail system.

Our review of the WAHS security requirements, testing, and administration found—despite
implementing the WAHS—many of the implications listed above remain. Specifically, NARA’s
electronic authentication process remains noncompliant with HSPD-12.
Further, although the
WAHS requirements state the enterprise-level system shall support up to 3,000 users in the full
operating capability implementation, the WAHS is currently only licensed to allow concurrent
remote usage of approximately 8 percent of that requirement. Additionally, NARA’s web-based
e-mail application remains vulnerable to the same network and hacker attacks present prior to the
WAHS implementation. Lastly, NARA remains unable to protect PII and NARA proprietary
information from remote download, printing, or distribution.

WAHS Security Requirements Development

In order to determine the early level of security control and requirements analysis that went into
the development of the WAHS, we requested requirements documentation from the WAHS
Project Manager and IT Security Staff (NHI). Within the scope of system security, we reviewed
the following WAHS requirements documentation:

   •   Full Proposal of the Work at Home project,
   •   WAHS CONOPS and Initial Requirements Specification, and
   •   WAHS Design Specification.

In addition to the fundamental business drivers and implications described earlier, the WAHS
Full Proposal provides an overall summary of the selected solution. A portion of this summary
describes how the Citrix Access Suite will provide application security and access control,
allowing fine levels of policy-based control over the actions users can take with such items as
printing and e-mail attachments.
However, during our review, while observing volunteer teleworkers working from their respective alternative worksites, we discovered NARA employees still have the ability to print sensitive information (including PII) using the Citrix application. This came as a surprise to NH officials—therefore, one NH official confirmed the ability to print while working from home. However, NH officials later stated “apparently, printing is supposed to be enabled per [the Deputy CIO] at his request.” Therefore, although the WAHS proposal details the ability to control remote printing, this is not something NARA utilizes. Further, although the Citrix application prevents teleworkers from downloading e-mail attachments onto their personal computers, NARA has not disabled its Novell web-based e-mail application, which functions separately from Citrix and does not restrict downloads. Therefore, as observed during our site visits, teleworkers continue to download sensitive information onto their personal computers. When asked why NARA continues to allow use of the less secure Novell webmail application, NH officials initially stated they did not know, aside from “nobody really wanted to let it go.” However, more recently, the same officials indicated discussions were held about keeping the webmail application available so in a surge condition, e-mail access would not be limited to the maximum number of concurrent users of the Citrix portal.

The second requirements document reviewed—CONOPS and Initial Requirements Specification—describes the intended remote user access functions, remote user access services, and IT infrastructure components of the WAHS. In addition, the document contains initial requirements of the system.
A selection of these requirements—as they relate to policy, standards, scope, function, and security of the WAHS—include:

   •   The system shall provide two-factor authentication capabilities,
   •   The system shall comply with all NARA Enterprise Architecture standards and guidelines,
   •   The system shall implement all applicable IT security controls as specified in the IT Security Architecture,
   •   The system shall complete all security certification and accreditation tasks prior to Initial Operating Capability (IOC) and Full Operating Capability (FOC), and
   •   The system shall support up to 3,000 users in the FOC implementation.

OMB Memorandum M-06-16, “Protection of Sensitive Agency Information,” requires agencies to allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access. The WAHS utilizes passwords and Personal Identification Numbers (PINs) as one of the two factors. The second factor—a device separate from the computer gaining access—is met by employing RSA hardware tokens. However, due to a recent sophisticated security breach that took place at the company that produces the RSA tokens used by NARA, an NH official acknowledged the RSA token no longer appears to be an effective component of a two-factor mechanism.

By no longer having a secure second factor, NARA is in effect relying on usernames and passwords to control remote access to the network.
NH officials have indicated that NARA’s remote access system is still secure because in addition to using the RSA token and PIN, NH never removed the Novell username and password access requirement. However, requiring a user to enter multiple passwords instead of only one does not compensate for an ineffective token device. User-known passwords are vulnerable to—among other things—social engineering, shoulder surfing, and keylogging. In terms of keylogging and other malware, the WAHS was developed to allow access from any computer with an internet connection—whether that is a user’s personal computer, the computer in a hotel lobby, or a computer at a public library—therefore, NARA has no control over the malware installed on the computers used in remotely accessing the network. An effective token-generated access code mitigates these risks; however, user-known passwords and PINs alone remain vulnerable.

In terms of complying with NARA Enterprise Architecture standards, NARA IT Security Requirements state the NARANet GSS shall provide multifactor access control as a common control for remote and local access to the network. Further, the multifactor access mechanisms shall include credentials from HSPD-12 compliant Personal Identity Verification (PIV) cards. The WAHS CONOPS (dated February 28, 2008) states the RSA SecurID tokens are an “interim solution” until NARA is able to implement PIV remote access authentication. Although HSPD-12 had established the requirement in 2004, when asked when this upgrade was expected to take place, an NH official stated it would be delayed until OMB “[tells] us to implement it whether we like it or not” and sets a final deadline.
OMB Memorandum 11-11 “Continued Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for Common Identification Standard for Federal Employees and Contractors,” dated February 3, 2011, establishes this deadline as October 1, 2011.

In addition, Enterprise Architecture IT Security Policies identify a number of NARA IT security objectives that apply to the WAHS. In particular, NARA must ensure that managers and users of NARA information systems are made aware of the security risks associated with their activities. Further, NARA must ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. NH officials indicated that other than a handout included with the distributed RSA tokens, no remote access IT security training has been developed or provided to teleworkers or their supervisors.

WAHS Project Management personnel were unable to provide exact dates of IOC or FOC; however, based on NARA Notices, the fully operational system was deployed in September 2009. Further, Project Management and NH personnel were unable to provide certification and accreditation documentation specific to the WAHS. The April 8, 2010 System Security Plan (SSP) for Network Infrastructure—which NH officials stated encompasses the WAHS—indicates that several components of the Network Infrastructure have already been certified and accredited as independent systems; however, the WAHS is not included in the list.
Further, all mention of the WAHS in the SSP states the project is still under development, despite the WAHS reaching FOC seven months before the SSP update.

The Initial Requirements Specification indicates the WAHS will support up to 3,000 users. Both NA officials and NH officials stated the telework program and the supporting WAHS were developed independently from one another. This requirement reflects that lack of coordination, as according to the most recent data obtained from NA, the greatest number of employees actually teleworking in a given year since the program’s inception was 334. Further, NH officials determined the greatest number of concurrent users was only 115. According to NH officials, NARA is currently licensed to accommodate 250 simultaneous users. Although this more precisely reflects actual usage, the WAHS must be able to support NARA’s telework program once it is fully compliant with the Telework Enhancement Act.

In their recently updated Dismissal and Closure Procedures—with the advent of “unscheduled telework”—OPM states agencies should ensure IT infrastructure is in place to allow large numbers of employees to telework simultaneously. NH officials stated there is a point at which a high volume of concurrent usage would result in a degradation of WAHS performance, but NH has yet to determine actual system capacity. The chart below depicts the most recent tabulation of telework eligible employees in comparison to the number of Citrix Application simultaneous user licenses (see Chart 1 below).
The number of eligible telework staff will likely increase once NARA fully conforms to Federal telework mandates.

Chart 1: Telework Eligible Staff in Relation to Citrix Users Licensed

[Chart data: Telework Ineligible, 2483; Telework Eligible, 1054; Citrix Unlicensed, 804; Citrix Licensed, 250]

The third requirements document reviewed—the WAHS Design Specification—details the design of the WAHS. The information contained in the document reflects the requirements and restraints of the CONOPS mentioned previously. Further, the Design Specification document includes a list of “to-be-determined (TBD) items.” The list was used to identify and track all TBD items uncovered during the development of the WAHS. The document states all open questions and issues should be identified, documented, and tracked to completion within the WAHS Design Specification Appendix. The version dated April 23, 2008 contained 32 TBD items in the “open” status. Many of these open items related to system security.
WAHS management personnel were unable to provide updates to the Design Specification document indicating these items were ever closed.

Security Testing

NARA’s Enterprise Architecture IT Security Requirements contain security assessment requirements for the agency’s IT programs. Specifically, the requirements state for all data, NHI shall develop a security assessment plan. Further, NHI is required to, at least annually, assess the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. NHI is required to produce a security assessment report that documents the results of the assessment.

NH personnel provided two documents that detailed security testing results, both of which took place prior to the WAHS entering production. These documents included: 1) Risk Assessment Results, dated July 8, 2008 and 2) Security Assessment Plan and Procedures, also dated July 8, 2008. The Risk Assessment contained 16 different risk elements, ranging from unsuccessful login attempts to configuration change control. The assessment of nearly all risk elements indicated the WAHS was not in production and that it resided only in a test environment with no outside connections. As a result, the vast majority of the assessments concluded that the controls should be revisited once the system is in production.
NH personnel were unable to provide definitive support that these controls were reassessed once the WAHS entered production.

As with the Risk Assessment, the Security Assessment Plan and Procedures report tested the requirements derived from NARA Security Architecture and NIST 800-53. A number of the requirements tested either failed or were deferred. Again, reasons for the deferred results were often explained by the WAHS not being in production at the time and that once in production, the controls would be implemented. However, NH personnel were unable to provide support that such actions actually took place. Further, NH personnel explained the WAHS is somewhat of an anomaly, as most systems never have deferred testing [2]. NH personnel stated “a lot of people said we have to hurry up and test this thing, but a lot of the mechanisms weren’t in place.”

Further, some of the requirements tested during the Security Assessment were identified as passing, when current data indicates that they are not. Examples include patch management and auditable events. The flaw remediation category tested in the WAHS Security Assessment requires organizations to promptly install newly released security relevant patches. The results for this test indicated a pass rating, noting that patches will be installed once the system is transitioned into production. However, in a November 2010 NARA Information Security audit performed by GAO, the Citrix VPN server and client—key components of NARA’s WAHS—were specifically identified as missing security patches. In addition, under the auditable events category tested in the WAHS Security Assessment, one of the associated requirements indicated that the information system generates audit records for events such as unsuccessful login attempts.
Although the test results for this requirement indicated the Citrix Appliance passed, NH officials stated this capability only became available in March 2011—nearly three years after the testing took place.

WAHS Administration

In addition to assessing the documented security requirements and associated test plans, we also reviewed the ongoing administration of the WAHS as it relates to security control. NH personnel provided information and documentation that pertains to continuous efforts taken to ensure NARA’s remote access system remains secure. Such procedures and documents are detailed below.

[2] NARA OIG Audit Report No. 09-15, “Audit of NARA’s Work-at-Home System,” dated September 29, 2009, identified concerns related to the WAHS not meeting OMB and NIST requirements prior to full implementation. Although management concurred with the recommendation to ensure requirements were met, WAHS documentation indicates a number of deferred and failed security tests at the time of implementation.

When discussing the identified issues in the requirements and test documentation, NH officials stated the WAHS security documentation has been superseded by the SSP. NH personnel indicated that the WAHS falls under the SSP for Network Infrastructure.
Although the Network Infrastructure SSP is dated April 8, 2010, the plan has not been updated to reflect the WAHS. For example, the SSP states “currently, NARA employs a VPN solution that does not employ a two-factor authentication scheme.” In addition, the SSP states “NARA currently has a project underway to develop a remote access capability to support users’ ability to telework.” However, according to NH officials, the WAHS was in full operation by September 2009; therefore, this should have been reflected in the April 2010 SSP. Further, although NH officials stated the SSP supersedes the earlier security documentation, the SSP specifically states “for more information on this solution, and a detailed discussion of the design and security mechanisms, please refer to the following documents,” which include the WAHS CONOPS and Initial Requirements Specification, Work At Home Full Proposal, and WAHS Design Specification detailed earlier.

Shortly before the WAHS went into initial production, the WAHS Business Process Owner entered into a Service Level Agreement (SLA) with the Office of Information Technology Services Division (NHT). According to the August 4, 2008 SLA, in order to ensure the security of hosting platforms and operational infrastructure, certain activities (running scans, installing security patches, monitoring activity, etc.) were to be conducted prior to transitioning the WAHS to an operational state. As the service provider, NHT was responsible for performing these activities; however, NH officials stated many of these security activities were actually the responsibility of NHI.

In terms of installing security patches, NIST 800-46, Guide to Enterprise Telework and Remote Access Security, states it is particularly important for organizations to ensure that remote access servers are kept fully patched.
However, as mentioned earlier, GAO identified key components of NARA’s WAHS were missing security patches. NH officials stated patch management is an issue on all NARA servers and the issue is being addressed through their plan of action and milestones process.

In addition, the SLA states if there are any findings or security vulnerabilities discovered on the WAHS after it has been placed in an operational state, NH will take immediate steps to secure the platform. One vulnerability impacting the WAHS—which was mentioned previously—is the RSA token breach. When the breach became known, US CERT issued required mitigation procedures to agencies employing RSA tokens. Although these mitigation procedures were identified in March 2011, some have yet to be implemented at NARA. These include requiring

                                        NH indicated that the impact of these changes is still under review by the CISO and are not yet implemented. NH officials stated they are waiting to see how events progress. However, during this time the network of a major military contractor that also uses the RSA token was hacked. The network compromise occurred despite the addition of a secondary password to its remote log-in process.

NH officials informed US CERT that one of the mitigation efforts NARA has undertaken to address the RSA vulnerability is to enable extensive logging. Specifically, this includes extensive logging for all enterprise authentication servers and collection of IP addresses of the system accessing the service, the username, the resource accessed, and whether the attempt was successful or not.
However, when log reports were requested, NH officials indicated the log capability for the Citrix logging server has a “broken” password. The NH official stated they “believe the logs are there, we just don’t have access to log into the server.” This has been the situation since at least the beginning of May 2011. NH officials did, however, provide logs generated by the RSA authentication server, although these did not
                     . Further, the RSA authentication is only one component of the process. If the RSA authentication is compromised, NH officials indicated they

                    .

Further, while other RSA clients are urgently lining up to replace their compromised tokens, in response to the Committee on National Security Systems, NH officials stated NARA did not need to be on the priority list. NH officials indicated there was less urgency because NARA—like the hacked military contractor mentioned earlier—has an additional password credential in place. Additionally, NH officials indicated a plan is in place at NARA to deploy an alternative. NH officials stated they will be deploying the infrastructure to support the HSPD-12 compliant PIV card in less than six months, by the mandatory October 1, 2011 deadline. However, NH officials stated an enterprise-wide capability is dependent upon the acquisition of card readers and middleware, which reflect a significant life-cycle cost.

Impact of WAHS Vulnerabilities

NIST recognizes that remote access servers provide a way for external hosts to gain access to internal resources; therefore, their security is particularly important. However, despite the added risk associated with remote access, NARA did not thoroughly develop and test the WAHS in accordance with security policy. The WAHS was rushed through security assessment testing by deferring many key security tests.
Once the system went into production, there is little evidence the deferred testing was ever reassessed. NH officials stated the remote access security is encompassed within the SSP; however, the plan does not reflect the remote access controls and system currently in place. Now that the system is fully operational, identified vulnerabilities remain unmitigated and inadequate responses to new threats leave the WAHS susceptible to compromise.

Recommendations

3. We recommend the Executive for Information Systems and Chief Information Officer (I) and the Executive for Business Support Services (B):

      a. Ensure all deferred and failed security tests have been reassessed and the results documented.
      b. Update SSP to reflect NARA’s remote access system.
      c. Ensure all RSA breach mitigating procedures reported to US CERT are implemented and functioning.
      d. Monitor compliance with HSPD-12 to ensure established deadlines are met.
      e. Review Citrix security configurations for adequacy.
      f. Ensure WAHS patches are current and monitored.
      g. Develop a plan with General Counsel (NGC) to protect PII and NARA proprietary information from being distributed or compromised over the network and e-mail system.
      h. Establish a cross-functional team with the Office of Human Capital (H) to ensure remote access capabilities will meet increased NARA telework demands and to ensure appropriate security guidance is included in NARA telework policy.

Management Response

Management concurred with the recommendations.

Appendix A – GAO Key Telework Practices for Implementation of Successful Federal Telework Programs

Program planning
• Designate a telework coordinator.
• Establish a cross-functional project team, including, for example, information technology (IT), union representatives, and other stakeholders.
• Establish measurable telework program goals.
• Develop an implementation plan for the telework program.
• Develop a business case for implementing a telework program.
• Provide funding to meet the needs of the telework program.
• Establish a pilot program.

Telework policy
• Establish an agency-wide telework policy.
• Establish eligibility criteria to ensure that teleworkers are selected on an equitable basis using criteria such as suitability of tasks and employee performance.
• Establish policies or requirements to facilitate communication among teleworkers, managers, and coworkers.
• Develop a telework agreement for use between teleworkers and their managers.
• Develop guidelines on workplace health and safety issues to ensure that teleworkers have safe and adequate places to work off-site.

Performance management
• Ensure that the same performance standards, derived from a modern, effective, credible, and validated
  performance system, are used to evaluate both teleworkers and non-teleworkers.
• Establish guidelines to minimize adverse impact on non-teleworkers before employees begin to work at alternate worksites.

Managerial support
• Obtain support from top management for a telework program.
• Address managerial resistance to telework.

Training and publicizing
• Train all involved, including, at a minimum, managers and teleworkers.
• Inform workforce about the telework program.

Technology
• Conduct assessment of teleworker and organization technology needs.
• Develop guidelines about whether organization or employee will provide necessary technology, equipment, and supplies for telework.
• Provide technical support for teleworkers.
• Address access and security issues related to telework.
• Establish standards for equipment in the telework environment.

Program evaluation
• Establish processes, procedures, and/or a tracking system to collect data to evaluate the telework program.
• Identify problems and/or issues with the telework program and make appropriate adjustments.

Source: GAO analysis of telework-related literature and guidelines.

Appendix B – Management’s Response to the Report

Appendix C - Report Distribution List

Archivist of the United States (N)
Deputy Archivist of the United States (ND)
Chief Operating Officer (C)
Chief Human Capital Officer (H)
Executive for Information Services and Chief Information Officer (I)
Executive for Business Support Services (B)
Performance and Accountability Office (CP)
'